INSIDER THREAT Spotlight Report
Presented by the Information Security Community on LinkedIn (Group Partner)
TABLE OF CONTENTS
Overview
Key Survey Findings
THREAT DETECTION
- Monitoring of Applications
- User Behavior Monitoring
- Insider Threat Analytics
- Speed of Detection
SECURITY TOOLS & PROCESSES
- Controls to Combat Insider Threats
- Focus on Deterrence
- Budget Priorities
- Insider Threat Approach & Most Effective Tools
- Keeping Track of Security Incidents
RECOVERY & REMEDIATION
- Speed of Recovery
- Cost of Remediation
- Insider Threat Damage Estimates
Holger Schulze
Group Founder, Information Security Community on LinkedIn
hhschulze@gmail.com
Group Partner: Information Security
1. Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (59 percent). This is followed by contractors and consultants (48 percent), and regular employees (46 percent).
4. 62 percent of respondents say that insider attacks are far more difficult to detect and prevent than external attacks.
Data leaks stemming from insider attacks are most concerning to the survey respondents (63 percent). Respondents are slightly more concerned about inadvertent data breaches (57 percent) than malicious breaches (53 percent).
Data leaks 63% | Inadvertent data breach (careless user) 57% | Malicious data breach 53%
Databases (57 percent) and file servers (55 percent) are considered most vulnerable to insider attacks. After all, this is where the majority of sensitive data resides.
Databases 57% | File servers 55% | Mobile devices 44% | Endpoints 42% | Business applications 41% | Network 36% | Cloud applications 31%
Q: What IT assets are most vulnerable to insider attacks?
Privileged users, such as managers with access to sensitive information, pose the biggest insider threat (59 percent). This is followed by contractors and consultants (48 percent), and regular employees (46 percent).
Privileged users 59% | Contractors/Consultants 48% | Regular employees 46% | Temporary workers
Q: What user groups do you believe pose the biggest security risk?
Collaboration & communication apps, such as email, are most vulnerable to insider attacks (45 percent), followed by cloud storage & file sharing apps such as Dropbox (43 percent). Finance and accounting apps come in third with 38 percent.
#1 Collaboration & communication 45% | #2 Cloud storage & file sharing 43% | #3 Finance & accounting 38% | #5 Sales & Marketing (CRM, marketing automation, etc.) 29% | #7 Website 27%
Q: In your opinion, what types of applications are most vulnerable to insider attacks?
Due to its value to attackers, customer data is most vulnerable to insider attacks (57 percent), closely followed by intellectual property (54 percent), and financial data (52 percent).
Data most vulnerable to insider attacks: Customer data 57% | Intellectual property 54% | Sensitive financial data 52% | Company data 46% | Employee data 45% | Sales & marketing data 30% | Healthcare data 20%
Endpoints are by far the most common launch point for insider attacks (56 percent), highlighting the need for robust endpoint security and policies. This is followed by networks (43 percent) and mobile devices (42 percent) as starting points of insider attacks.
Endpoints 56% | Network 43% | Mobile devices 42% | File servers 35% | Cloud applications 22% | Databases 22% | Business applications 22% | Not sure / Other 14%
Q: What IT assets are most commonly used to launch insider attacks from?
… awareness (50 percent).
Increasing number of devices with access to sensitive data 50% | More employees, contractors, partners accessing the network 34% | Increased public knowledge or visibility of insider threats that were previously undisclosed 27% | Increasing amount of sensitive data 27% | Technology is becoming more complex 25% | Not sure / Other 7%
Q: What do you believe are the main reasons why insider threats are rising?
Figure: 64% of respondents consider their organization vulnerable to insider threats. Response options: Extremely vulnerable | Very vulnerable | Moderately vulnerable | Slightly vulnerable | Not at all vulnerable | Not sure
A majority of respondents (62 percent) say that insider attacks are more difficult to detect and prevent than external attacks.
More difficult than detecting and preventing external cyber attacks 62% | About as difficult as detecting and preventing external cyber attacks 25% | Less difficult than detecting and preventing external cyber attacks 8% | Not sure 5%
Q: How difficult is it to detect and prevent insider attacks compared to external cyber attacks?
The key reasons for the difficulty in detecting and preventing insider attacks are that insiders often already have access to systems and sensitive information (66 percent), the increased use of cloud based apps (58 percent), and the rise in the amount of data that is leaving the protected network perimeter (42 percent).
Insiders already have credentialed access to the network and services 66% | Increased use of applications that can leak data (e.g., Web email, DropBox, social media) 58% | Increased amount of data that leaves protected boundary / perimeter 42%
Q: What makes the detection and prevention of insider attacks increasingly difficult compared to a year ago?
45 percent of respondents can’t determine whether their organizations experienced insider attacks in the last
12 months. 22 percent experienced between one and five attacks. About a quarter of organizations believe they
experienced no attacks at all. The average number of known insider attacks is 3.8 incidents per organization per
year.
Q: How many insider attacks did your organization experience in the last 12 months?
Three in four companies monitor the security controls of their applications.
Yes 75% | No 15% | Not sure 9%
Q: Does your organization monitor security configurations / controls of your applications?
Visibility Into User Behavior
Most organizations (48 percent) rely on server logs to review user behavior. Only 28 percent have deployed dedicated user activity monitoring solutions.
Server logs 48% | In-app audit system / feature 31% | Have deployed user activity monitoring 28% | No visibility at all 17% | Have deployed keylogging 7% | Not sure / Other 18%
Q: What level of visibility do you have into user behavior within core applications?
Q: Do you monitor abnormal user behavior across your cloud footprint (SaaS, IaaS, PaaS)?
50 percent of organizations do not use analytics to determine insider threats. Of the 30 percent of organizations that leverage analytics, one third uses predictive analytics and two thirds deploy behavior analytics.
No 50% | Yes - behavior analytics 20% | Yes - predictive analytics 10% | Not sure 20%
Among the IT professionals who have an opinion on the speed of detecting an insider attack, the most frequent response times are a week or less (42 percent), and for 28 percent of respondents typically within the same day or faster. Perhaps most worrisome is that 40 percent of respondents simply don’t know how long detection of an insider attack against their organization would take or have no ability to detect insider attacks at all.
Figure: Within minutes 6% | Within hours 11% | Within the same day | Within one week (42% a week or less) | Longer than six months | Don’t know how long
Q: How long would it typically take your organization to detect an insider attack?
30 percent of organizations today do not have the appropriate controls to prevent an insider attack.
Yes 47% | No 30%
Most organizations place their insider threat management focus and resources on deterrence tactics (63 percent), followed by detection (51 percent) and analysis & forensics (41 percent).
Deterrence 63% | Detection 51% | Analysis & forensics 41% | Deception (e.g., honeypots, etc.) 8% | None 8% | Not sure / Other 14%
Q: What aspect(s) of insider threat management does your organization mostly focus on?
Share the INSIDER THREAT Spotlight Report 23
Barriers to Better Insider Threat Management
Budget Priorities
One of the best indicators of changing priorities is the budgeting process. For the respondents who have visibility into the budgets allocated to insider threat management, over a third expect budgets to increase. For 55 percent of respondents budgets will stay flat, and only 11 percent expect a decline.
Budget will increase 34% | Budget will stay flat 55% | Budget will decline 11%
Q: How is your budget changing in the next 12 months to better detect and prevent insider attacks?
User training is the most popular tactic to combat insider threats (45 percent) followed by background checks (41 percent) and user activity monitoring (39 percent).
User training 45% | Background checks 41% | User activity monitoring 39% | Native security features of underlying OS 28% | Secondary authentication 21% | Password vault 18% | Specialized third party applications and devices 18% | Custom tools and applications developed in house 16% | Managed Security Service provider 11% | We do not use anything 7% | Not sure / Other 14%
Q: How does your organization combat insider threats today?
Most Effective Tools
Policies and training (36 percent) are considered the most effective tools in protecting against insider threats. Data loss prevention (DLP) tools (31 percent) and identity and access management (IAM) (30 percent) round out the top three.
Policies & training 36% | Data Loss Prevention (DLP) 31% | Identity and access management (IAM) 30% | User monitoring 28% | User behavior anomaly detection 28% | Encryption of data at rest, in motion, in use 28% | Log analysis 26% | Security information and event management (SIEM) 26% | Data Access Monitoring 24% | Intrusion Detection and Prevention (IDS/IPS) 23% | Security analytics & intelligence 21% | Multifactor authentication 20% | Endpoint and mobile security 20% | Network defenses (firewalls) 16% | Password vault 11% | Enterprise Digital Rights Management solutions (EDRM) 6% | Cloud Security Gateway 5% | Not sure / Other 8%
Q: What security tools are most effective in protecting against insider attacks?
67 percent of organizations use a central help desk / ticketing system for security incidents.
Yes 67% | No 26% | Not sure 6%
Q: Do you use a central help desk / ticketing system for security incidents?
The expected speed of recovery from an insider attack follows the same pattern we are seeing for speed of detection. The most common recovery times are a week or less (40 percent). In this context, recovery is defined as closing down the attack vector, considering that a successful attack can result in long lasting economic and reputation damage to the organization. 40 percent of respondents simply don’t know how fast their organization would recover from an insider attack.
Within one month 8% | Within three months 6% | Within six months 2% | Longer than six months 2% | No ability to recover 2% | Don’t know / Not sure 40%
Q: How long would it typically take your organization to recover from an insider attack?
Successful insider attacks can be costly to organizations, from immediate economic impact to long term damages in reputation and customer trust. Over a third of survey respondents estimate remediation costs to reach up to $500,000 per attack. Of those that are able to estimate the average cost of remediation, 24 percent believe the cost exceeds $500,000 and can reach in the millions. The overall estimated cost of remediating a successful insider attack is around $445,000. With an average risk of 3.8 insider attacks per year, the total remediation cost of insider attacks can quickly run into the millions of dollars.
1/3 estimates cleanup costs of up to $500K per attack.
< $100K 22% | $100K to $500K 16% | $500K to $1M 6% | $1M to $2M 3% | > $2M 3% | Not sure 50%
Q: What is the estimated, average cost of remediation after an insider attack?
Q: Within your organization, how difficult is it to determine the actual damage of an occurred insider threat?
The Insider Threat Spotlight Report is based on the results of a comprehensive survey of over 500 cybersecurity professionals
to gain more insight into the state of insider threats and solutions to prevent them.
The respondents range from technical executives to managers and IT security practitioners, and they represent organizations of
varying sizes across many industries. Their answers provide a comprehensive perspective on the state of cloud security today.
CAREER LEVEL
Specialist 20% | Consultant 18% | Owner / CEO / President 12% | Manager / Supervisor 12% | Director 12% | CxO 9% | Vice President 1% | Other 16%
DEPARTMENT
IT Security | IT Operations | Sales | Operations | Engineering | Product Management | Compliance | Marketing | HR | Finance | Other
COMPANY SIZE
Fewer than 10 14% | 10-99 19% | 100-999 23% | 1,000-4,000 17% | 5,000-10,000 6% | Over 10,000 21%
INDUSTRY
Shares in chart order: 20% | 12% | 10% | 8% | 7% | 6% | 6% | 5% | 4% | 4% | 4% | 3% | 10%
Technology, Software & Internet | Information Security | Financial Services | Education & Research | Government | Professional Services | Computers & Electronics | Manufacturing | Energy & Utilities | Healthcare, Pharmaceuticals, & Biotech | Telecommunications | Other
Bitglass | www.bitglass.com
In a world of cloud applications and mobile devices, IT must secure corporate data that resides on third-
party servers and travels over third-party networks to employee-owned mobile devices. Existing security
technologies are not suited to solving this task, since they were developed to secure the corporate network
perimeter. Bitglass is a Cloud Access Security Broker that delivers innovative technologies that transcend the
network perimeter to deliver total data protection for the enterprise - in the cloud, on mobile devices and
anywhere on the Internet. Founded in 2013 by industry veterans with a proven track record of innovation,
Bitglass is based in Silicon Valley and backed by venture capital from NEA and Norwest.
Fasoo | www.fasoo.com
The Fasoo data security framework helps organizations to facilitate and enhance their information security
framework based on a data-centric security model with people-centric policies in multi-layered approaches in
complex enterprise IT environments. The Fasoo data security framework is ideal for a diversified collaboration
environment in cloud and mobile, effective for insider threat management and a last resort against possible
APT. Fasoo has successfully retained its leadership in the data-centric security market by deploying solutions
for more than 1,200 organizations in enterprise-wide level, securing more than 2.5 million users.
LightCyber | www.lightcyber.com
LightCyber is a leading provider of Active Breach Detection solutions that accurately detect active cyber
attacks that have circumvented traditional threat prevention systems. The LightCyber Magna™ platform is the
first security product to simultaneously profile both network traffic and endpoint state in order to accurately
detect compromised user accounts and devices early in the attack lifecycle, and to enable security operators
to remediate breaches and stop attacks before real damage is done. Founded in 2011 and led by world-class
cyber security experts, the company’s products have been successfully deployed by top-tier customers around
the world in the financial, legal, telecom, government, media and technology sectors.
ObserveIT | www.observeit.com
ObserveIT is the world’s leading provider of user activity monitoring software. Founded in 2006, ObserveIT
is the only security software company that provides user behavior analytics, alerting and visual forensics to
know when users put your business at risk. With ObserveIT, information security teams are able to detect data
misuse within core applications, see exactly what’s happening in live sessions and act in real time. To do this,
ObserveIT provides screen-recording technology to capture all user activity regardless of the environment and
converts screenshots into user activity logs that makes it easy to search, analyze, audit and act upon alerts.
ObserveIT has more than 1,200 customers in over 70 countries.
Palerra | www.palerra.com
Palerra designed LORIC™ to provide continuous compliance, threat visibility, and automated incident response
for an organization’s entire cloud footprint (SaaS, PaaS, and IaaS) in a single platform. It automates all steps of
the security lifecycle to enable organizations to keep pace with the rapidly increasing volume of cloud usage
as well as the velocity of change in the threat landscape. LORIC does so without any hardware or software,
and does not impact the native user experience for cloud usage. Today enterprises across financial services,
consumer hospitality, hi-technology and more use LORIC from Palerra, to secure their Cloud footprint.
SpectorSoft | www.SpectorSoft.com
SpectorSoft is the leader in user activity monitoring and an innovator in user behavior analysis software.
SpectorSoft has helped more than 36,000 businesses, government organizations, schools and law enforcement
agencies improve how they address security and achieve compliance. SpectorSoft award-winning solutions
include enterprise-grade insider threat detection software, a powerful user activity monitoring solution
deployed by thousands of companies in more than 110 countries, robust Event and Security Log Management,
and the world’s leading employee investigation tool.
All Rights Reserved. Copyright 2015 Crowd Research Partners.
This work is licensed under a Creative Commons Attribution 4.0 International License.